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[57] ABSTRACT 

A computer-based method and system for capturing and 
verifying a handwritten signature. The handwritten signature 
may relate to a document, such as an electronically stored 
document An image of the document is displayed. A user 
signs the document electronically, and the handwritten sig- 
nature is electronically captured. A set of measurements 
relating to the handwritten signature is determined and 
stored in a signature envelope. Optionally, a checksum of a 
checksum of the document can be determined and stored in 
the signature envelope. The claimed identity of the signatory 
can also be stored in the signature envelope. The signature 
envelope is encrypted. The signature envelope can be com- 
municated to another application or computer platform, or 
stored for later verification. The signature envelope is 
decrypted, and the set of measurements stored in the signa- 
ture envelope are compared against a known set of hand- 
written signature measurements to verify the identity of the 
signatory. The system includes a database of signature 
templates storing verified signature information. The veri- 
fied set of signature measurements are compared with the set 
of measurements stored in the signature envelope to obtain 
a similarity score. The present invention includes a gravity 
prompt feature to alert the signatory as to the nature, 
seriousness and/or contents of what is being signed. The 
gravity prompt can be stored in the signature envelope as 
part of the record of the signing event 

29 Claims, 10 Drawing Sheets 
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METHOD AND SYSTEM FOR THE There are many areas today where, despite the availability 

VERIFICATION OF HANDWRITTEN of computeiized documents, it is necessary to rely upon 

SIGNATURES paper because of the Legal or cultural requirement far a 

signature. 

This application is a continuaiton of application Ser. Na 5 Thus, it is often the case that a hardcopy of a document 
08/298,991* filed on Aug. 31, 1994. now ILS. PaL Na is preferred to that same document in a digital or electronic 
5344,255. format For example, a wiD or contract for the transfer of 

land is required by law in most jurisdictions to be in writing 
FIELD OF THE INVENTION and to include original handwritten signatures of the parties 

^ . „ . ^ - , . , rt and witnesses to the document When a document is in 

TTier^mvenbonis directed to method and 10 eted ^ 1 ^ bemft ^ 

for storing handwritten signatures in an electronic : format me contents of the document it is often uncertain if a 
and in particular, to a method and system operatable on a document viewed at a later date is the same as the document 
pliirality of platforms for verification of electronically stored Q^naUy created. Although handwritten signatures cap- 
handwritten signatures and rela ted documents. tured using pen input facilities can be incorporated in the 
mwoTmrr lsirrnru 15 text cf such documents, one is never certain if a document 
twiKium mhjlx viewed at a later date is the one that was "electronically" 
A portion of the disclosure of mis patent document signed, 
contains material which is subject to copyright protection. Accordingly, it would be desirable to apply the science of 
The copyright owner has no objection to the farghmle handwritten signature capture and verification to a much 
reproduction by anyone of the patent document or patent 20 wider context than as a security access mechanism. In 
disclosure as it appears in the Patent and Trademark Office, particular, there exists a need in the area of testifying to an 
patent file or records, but otherwise reserves all copyright intent ion (such as, for example, signing a legal document) 
rights whatsoever; for a secure signature capture and verification method that 

relates the document signed to the signature of the signer. 

BACKGROUND OF THE INVENTION 25 Existing systems have focused on whether an electronic 

Many computer systems, bom static and portable, have of * »^*nre has been rmiupulated after it was 

been designed so that a user may enter data by means of a created and whether _an electronic version * » «y«™ 

c~fw™~ *~ *™,4™v:.w, associated with an electronic document was captured at the 

pen and a digitizer. Software exists to translate handwriting f nn <^Miny> «»k;,4, ;* tv^Znip rre 

„ -Z~a ~+~~a~a «~~k~,*;™. *uZ time at a transaction to wnicn it relates. For example, U.5. 

^^^f^T^^^^^^^! 30 Pat No. 5,195,133 to KappetaLde* 

FSZ^l ^i^T^LtJ^JT^^ attempts to assure that a signature piirportedly approving a 

faci^ the use of computers by i^^amihar wnh or ^ v^^ar^^th^^^ 

unsmed in the use of computer keyboards. Moreover, the t^r^tr^Dsa^Ziis notaTmrine signature obtained^ 

use (rfpe^r^ccmputers, and die storageami transport of sorr*c4herc>ccasionan^ 

informanonm d^al form, realizes an important commer- rf ^ transacdoiL ^ the K« rtl 

aal benefit-mereduction or elmiuiation of the use of paper. 35 ^ Cfeates a ^ rccxrdTa transaction,^^ a 

Digitizers typically sample the position of the pen np digital reoresentaticm of a signature at the time of the 

around one hundred times a second, and are sensitive to transaction, and then uses the digital record of the transac- 

movements of one seventieth of an inch. They are thus tion to encrypt the digital representation of the signature, 

capable of very accurately recording the movement of the ^ This method aims to ensure that the representation of the 

human hand. Computer signature verification can exploit signature was made when it is said it was made. However, 

this by analyzing not only the visible shape of the signature a SYStem ^ verify jf ^ document mat was 

but also dynamic aspects such as speed and rhythm. signed using a digitally captured handwritten signature has 

Algorithms exist that can take pen-based input (such as a been later modified. Moreover, systems such as the Kapp et 

handwritten signature), determine the fundamental charac- ^ aL system require a transaction, ««l are incapable of opera- 

terisncs of the pen-based input, and represent the character- tion where a signature is to be captured and verified in an 

istics of the pen-based input in an electronic format Algo- environment " n rH a fr d to a transaction, 

rithms also exist that can deternnneif tiandwrhtensigiiatiira Existing handwritten capture and verification systems are 

in electronic format are that of the same person. For designed fc* use on a smgleplatf^ 

example, see U.S. Pat No. 5.109,426 (U.K Application Na ^ signature is encoded in such a way that oAer applications are 

90 243833), U.S. Pat No. 4,495,644 and UX Application not capable of utihztng the electronic form of thehandwrit- 

Na 1480066, all expressly incorporated by reference herein. ten signature. By virtue of today's advanced computer-to- 

Signature verification can make a highly significant con- computer communications, including communication over 

tribution to computer security, in that all other security the Internet, man y applications will not require that verifi- 

mechanisms rely upon what a person knows (eg., a 55 cation be performed upon the same machine or at die samfc 

password) or possesses (eg., a physical key). By relying rime as the act of signing itself. For example, it would be 

instead on an aspect of physical behavior which cannot be desirable for a system to enable a handwritten signature to 

stolen or divulged, signature verification offers secure evi- be captured electronically on one device, stored, electroni- 

dence as to the real identity of. the user. caHy t ransmitte d to another device on another computer 

To date, signature verification has been employed mainly £0 platform, and later verified. Accordingly, there is a need for 

in the area of access security, with the object of verifying the an integrated cross-platform signature verification system. 

identity of an individual before giving the user access to all In particular, there is a need for a system that does not 

or part of a computer system. presuppose any particular underlying hardware, and is 

However, traditional signatures made on a piece of paper designed to be portable across different types of computer 

are used to witness intentions in such contexts as signing a 65 and operating system. 

contract or wfiX and as a shield against repudiation as when Many businesses and government departments often 

signing a money order. require people to sign documents. For example, when buy- 
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ing goods by check or credit card, when signing a car rental recording) the act of signing. The signature envelope stores 
agreement, when entering a lease, when applying for a certain data associated with the manual inscription of a 
driver's license or other government rxsmit, on election day signature captured in electronic form, for example, on a 
or to certify att e ndance at an examination. Often, the person compater screen of a pen-based computer. Topically, the 
requesting the signature does not know the individual who s signature capture module is called and controlled by, and 
is required to sign, and does not have an authentic signature cornmunicates with, a client application, 
of the signer to cornpare with the requested signature. For example, the client application may require a hand- 
Moreover, even if an antnentic signature is available for written signature for a document The client application calls 
comparison, the person requesting the signature often is the signature capture module, which will display on the 
onskflled in determining whether two signatures are from to screen a signature capture window and request that the user 
the same person. Accordingly, there is a need for a system inscribe ids or her signature (far example, using an dec- 
that allows a signature to be captured electronically in one trorric styms) to this window on the computer's screen. The 
location, electronically transmitted to a central location that client applicant inay s^ 

has recorded verified signing behavimof inanyindrviduals, nif» an irWi^ ration of mr ^^nnneiit bring signed and/or tht 

and returns an iudication of the identity of the signer. is reason why (or importance of) the document being signed. 

In certain situations, a person who has signed a contract This information, called a gravity promp t, «>n be displayed 

nr other legal doriimftnt nriTI allwujil to terminatR fwt or her to the nser hy fhet signafhwp tai jilme mortnl^ in thr signature 

obligations by d aiming at a later date that he or she did not capture window. This allows the user to malm sure that the 

understand the nature of the document being signed or that document being signed is the one that the user believes he 

he or she was misled when signing the document Moreover, 20 or she is signing, and moreover, alerts the user to reason for 

in a mimi-windowed computing euvxronruent, a person and the gravity of the act of signing, 

signing a docnrneirt eleetremcalty may not be sure which As the user signs the document, (e.g^ by moving the pen 

document stored on the coanputer he or she is actually or stylus across the screen), an image appears triat traces the 

sigm^Itwc^beusefulif a record was niade at the time movement of the styms. Thus, the user's signature (or 

of signin g (that could later be retrieved) that records what 25 autograrii) is displayed to the user. At the time of signing, 

tt} e signer was told when signing a document and, before the signature capture module measures certain features of 

signature, alerts the signer as to the identity, nature and the act of signing, such as, for exampde, the size, shape and 

gravity of the documeiit briig signed, relative rationing of the curves, loops, lines, dots, crosses 

In short, there is a need for a system that takes advantage and other features of the signature being inscribed, as well 

of the increasing availability of these pen-based input 30 as the relative speed at which feature is being Imparted, 

devices by enabling the application of handwritten signature These measurements can be termed "act^tf-signing mea- 

capture and verification technology to be ased in the diverse surements". 

contexts where signature capture is needed. in the representative embodiment of the present 

SUMMARY OF THE INVENTION 35 mv ^ 0 *> ^f^^^^^l"^ " * 

sum of the document that was signed. The document check- 

The present invention provides an integrated method and sum can be used at a later date to verify that the document 
system for the electronic capture of a handwritten signature, alleged to have been signed is the one that was signed, and 
storage of the handwritten signature in electronic farm, farther, that no change to that document has been 
electronic transportation of the ca ptured handwritten ^ hi the representative embexfament, the document check- 
signature, and a ut hentica tio n of the captured haiiAvritten sum is iiot a complete statement the original document, 
si gn at ure. and the original document cannot be derived from the 

When used herein, the term ^signature" means the haiu^ dc«nmerftchecksurrLThedo 

written mark made by a rxxson thai represents that r ematical rriationsnip to the document ff the document is 

intent or assent It includes what is usually regarded as a ^ changed, then it can no longer be mathematicalry ™tr4>eri 

person's autograph. The term "signed** has a corresponding with the rfoyfecnf n 

meaning, and includes any symbol executed or adopted by hi an alternative embodmient, a compressed rejxesenta- 

a party with present intention to authenticate a writing, don of the document that was signed can be created in 

where such writing may be in an electronic format It is addition to, or as an alternative to, the document rWfrqirn 

noted that the term "signature** as used herein does not ^ The signature capture rro 

include what has come to be known in computer science inter aha, the act^agmng statistics, the time and date of 

fields as a "digital signature**, Le., an electronic code that is signing, the claimed identify of the signer, the words that 

used to establish the identity of the person creating or appear to tip gravity proir^ 

sending an electronic document A "digital sig^tae* has optionally, data reraesentrng a grarto image of 

the function of replacing a hamrwritten signature, with a ^ ^ signature capture module creates a signature 

secret a^ha-riumeric "key** supplied to a given iiidrvidual, envelope that conmrises this encrypted data. In the repre- 

wirich then has to be kept secret In contrast, the present sentative embodiment, the signature envelope is an 

invention is directed to electiomcalry capturing encrypted string c^o^Acccrdu^ 

lating a person's hano^vritten signature. is a secure way to represent the inscription event 

m the representative embodiment, the present mvention According to the representative embodiment, the client 

utilizes known j*®^ ajmlicationcaimotdecr^ 

handwritten signatures. in the signature errsrdope. 

The representative ernbc^liment of the present invention The signature verification module reports the probability 

comprises a signature capture module, a signature verifica- that a particular signature is authentic. The signature veri- 

tion module and a template database. &5 fication module has access to the template database. The 

The signature capture module captures the signature of a template database stores a plurality of templates. Each 

person and creates a signature envelope representing (or tempiate includes actn>f-signing statistics for a person and 
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the known identity of that person. Each template is created 
dining a controlled enrollment process, and stored in the 

template datahaye fcff later access. 

la the representative embodiment, the signature verifica- 
tion module and template database may be located at a 
remote location, accessible by many client applications. For 
example, the signature verification moctnle and template 
database may be located at a central independent signature 
verification bureau. In an alternative embodiment, the sig- 
nature verification module and template database are located 
upon the local system, accessible by the client application 
when necessary. 

When a client ar^ilication wishes to verify a signature, the 
client application passes the signature envelope representing 
the signature to be verified to the signature verification 
module. It is noted that each client application can have 
verified signatures that were created by that client 
ar^lication, or that were created at an earlier time by other 
difrTit applications. 

For example, the sigi inline capture module may reside on 
many computers, such as, for example, a fleet of portable 
pen-based cornpoters, while the signature verification mod- 
ule may reside on a single host computer. The portable 
computers might capture numerous signatures over time, 
(and thereby create numerous signature envelopes) and 
transmit them to the host computer for verification. 

When the signature verification module is presented with 
aparrinilar signature envelope, it can be directed to evaluate 
whether the signature envelope is a product of an authentic 

inscription of the signature helnnging tn the iwr identified 
in the signature envelope. The signature verification morfnie 
can decrypt the signature envelope and c ompar e the infor- 
mation therein with the signature templates stored in the 
template database. Based on this comparison, the signature 
verification module can determine a signature match per- 
centage (e^g., 78%) and report mis, and other information 
stored in the signature envelope, to the client application. 

Accordingly, the present invention enables electronically 
captured handwritten signatures to be used in the same 
contexts as traditional paper signatures. Signatures captured 
according to the present invention will exceed the "perfor- 
mance'* of traditional signatures by using computer technol- 
ogy to assist in the detection and prevention of forgery and 
fraud. 

The present invention is designed fur use in exjunction 
with existing software programs, for example, as a software 
cornrx)Beirt to be activated by om^ 
present invention can be used as part of a security program 
to allow a user access to a c ompute r network, as part of a 
word processing program, or as part of an e-mail program 
(e^., to verify me identity of a sender of an e-mail message). 
The present invention takes care of the processing which 
specifically relates to signature capture and verification. (As 
used herein, the programs making use of the services of the 
modules of the present invention are termed "client 
programs**.) 

Thus, client programs may use the present invention to 
capture signatures for all kinds of purposes. The present 
invention enables the traditional manner of indicating agree- 
ment (a fiandwritten signature) to be carried forward into 
new technological environments, while avoiding the need 
for paper. For example, the signature capture module of the 
present invention might be made to reside in a cable tele- 
vision converter unit (sometimes called a "set-top box**) that 
is fitted with a digitizer so that a viewer can authorize the 
supply of various goods and services using the present 
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invention, Signatm eg on fflphimri u/raiM he t ransmitted harfr 

down the line to the provider's system where they can be 
subniitted to a signature verification module prior to 
delivery, and then archived as a record of the event An 

5 advantage of this method is that the members of a household 
can be mdrviduated (for example, parent, child, etc) without 
reqinring them to carry and secure personal cards, or fur- 
nishing them with "secret" numbers and the Hfe The 
present invention can easily be enhanced by implementing 

10 the signature capture m nd nte within a handheld remote 
control unit fitted with a suitable touch-sensitive digitizer, 
for example, on its reverse side. 

Another example is in applying for a loan to purchase a 
vehicle while at a car dealership. A handwritten signature 

15 could be captured by the signature capture module. The 
resulting signature envelope could then be submitted to an 
independent signature verification bureau. The verification 
score returned could then be figured into the overall credit 
assessment before the applicant is allowed possession of a 

20 vehicle. 

Signatures may also be captured where subsequent veri- 
fication is either not required or even possible where a 
signature provided by an individual to a signature recipient 
is the first sample. Examples include a marriage license 
25 affidavit signed by both bride and groom, a hotel register 
signed by a guest, and a parcel delivery note signed by the 
recipient. 

Thus, for example, a signature can be transmitted to a 
^ remote site for verification before allowing access to the 
remote computer system; or a signature may simply be 
stored in a computer archive as a record that a particular 
person approved a particular document or transaction; or it 
may be desirable to verify a signature irnmediately in order 
^ to decide whether to allow the user access to a particular 
electronic document To this end, the present invention 
provides extensive functionality to the client program. 

The present invention does not allow signature data 
(especially, the signature envelope) to become subject to 
43 fraudulent misuse. Client programs can not access signature 
data except in encrypted form, nor can they obtain infor- 
mation which would be of material assistance to a prospec- 
tive forger 

A unique security feature of the present invention is that 

45 rather man transmitting the raw signature data to the verifier 
(Le., rather than allowing the signature capture module to 
transmit raw signature data to the signature verification 
module), feature extraction is caxriedVout at completion of 
capture. The raw signature data is, in the representative 

50 embodiment, not stored in the signatrrre envelope nor made 
available at any stage to the client program. This makes it 
impossible to recreate raw signature data through the exami- 
nation of the signature envelope and subsequently to 
re-inject the raw signature data into the system. This also 

55 reduces the amount of information to be transmitted or 
archived prior to verification. 

The present invention can be used to assist m the detection 
of unauthorized modification of electronic documents. As 
stated above, a document checksum is calculated from the 

60 character codes making up the decument, and stored away 
from that document as part of the signature envelope. The 
document checksum obtained from a modified document 
would be different, and thus the modification can be 
detected. The present invention uses an advanced check- 

65 s mnming method tn hind oignatiTrr envelnpeg tn rinniment* 

in support of a complete electronic metaphor for ink drying 
on paper. Together with the gravity prompt, this assists in 
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maintaining a single intended use for each act of signing, example, the signature verification module 6 and the tern- 

such that a signature submitted on one document cannot be plate database 12 may reside on a single computer system, 

used on another Alternatively, mere may be may signature verification mod- 
ules 6 residing on d iffe r e nt plat form^ all able to access a 

BRIEF DESCRIPTION OF THE DRAWINGS 5 remotely located template database 1Z 

FIG. 1 is a block diagram fflustrating a typical system The signature capture module 4 and the signature verifi- 

architecture according to the present invention, cation module 6 utilize a set of AHs (Application Program 

FIG. 2 is a Hock diagram illustrating a typical system Lrt f f *^ ) *? lp€ f mk signature capture 

ardrtectareaccmo^ m and verification into manycMerent applications, eg., 2a and 

a signature is captured on one platform and verified on a 10 2*>- Applications can determine the coitfext for each agna- 

second platform. ture and the criteria for signature venfication thresholds. 

FIG. 3 shows a window used for capturing handwritten . ^ therepnser^vee^ 

signatures, and an example of a gravity prompt. inirrfemented on International Business Machines Corp/s 

mr \ A clwwc rZjL JrZZL , « Pen for OS/2 (with C++ interface) and on Microsoft Corp.oc s 

ITC.3Ashwsafortoexampk 15 Windows for Pen Onmwting (with C++ and Visual Basic 

FIG. 4 is a flow diagram of a signature envelope life cycle. interfaces). The signature capture module 4 and the signa- 

FIG. 5 is a flow chart imistrating typical steps in a ture verification module 6 are designed to be incorporated 

signature capture process. into or activated by other computer programs. They should 

FIG. 6 is a flow chart illiistrating a typical life-cycle for ^ thus be considered as a seif-cemtained software components, 

a template software object of the present invention. In the representative embodiment, the signature capture 

FIG. 7 is a flow chart illustrating typical steps in a rncwtnle4reQiirrestheava^ 

temrflgte enrollment process. device and a digitizer. Under both Windows far Pen Com- 

FIG. 8 b an entity relationship of the fe os/z > ff^cal display device 

presem invention. 25 supported by the operating system may be used, for 

ITC.9isadiagcamiuustra^ examr^ Wacom, Calcomp, Kurta, etc. In addition, the 

_« ^ my e mc w tt cornputer processor can be any pen-based computer sup- 

c^ect representing a pers^ porting either of these operating systems, such as, for 

DETAILED DESCRIPTION example, Compaq's Concerto computer or IBM's P-Series 

Thinfcp ad computer. 

■T^^^^f' % JSS ^ The signature verification nodule « requires no specific 

fflnstrated in Mock diagram form a typical system utihzmg harf*^^ can be implemented under any center 

the components of the present invention. ,. , . . . . ■* . , .» * ~7*_ 

9 \[ _ operating system wtucn, m tne representative emrxxmnent, 

FIG. 1 shows an architecture where the signature capture supports a C++ ammfler or cross-compiler, 

and verification functions are j^crn^ on the same d _ tim. «^ n t «,« i« *w 

A client appiicatian 2 request, ^ asign^ca^ured. * ^^^Z^"^ ^ 

TTie chent application presents the required information to a '^ar* 

signature capture module 4 (also called a signature capture ** * e f i SDarure capture module 4, for recording acts of 

service), which in turn requests that a user sign his or her signing and creating signature envelopes 10; 

signature using the appropriate b an t uim^ devices, such as, b. the signature verification module 6, for rneasuring an a 

for pptainpfc t a pnmhinatjnn of a ftpnfctigjtjTfx and df^fay ft, signature envelope against an individual's sigriature 

The signature capt u re Tpnrfnig 4 creates a signature envelope profiles, Le^ against "templates"; and 

10, as explained in detail below, and passes (or mates c. the template database 12. 

available) the signature envelope to the client application 2. To illustrate the use of these three subsystems, consider a 

When the client application ^ simple application of signature verification to regulate 

ft passe* signator y gmrrfnpfc 1ft to a gtgnatim wrifir»atift« access to a computer system. The client program 2 in this 

module 6 (also called a signature verification service). The instance will wish to capture a signature and then verify it in 

gigngtnm vftrffifatfftn wwvtitifr 6 ftrwtw a template database order to receive evidence as to the identity of the cornputer 

12 (also called a signatory database) that contains templates user, m this case, the steps to be followed win be: 

of signature information and information as to the "owner** ^ Establish the rfatm*** identity of the user 

ofthe sigiiature,ar^ Capture his signature, together with the time and date of 

the client application 2. signing, and a prompt appropriate to the application 

FIG. 2 shows an architecture where the signature is Using his claimed identity, locate bis signatnre template 

captured on a pen-equipped computer, but verified on a . . ^ «, . 

remote system. In FIG. 2, there are two client applications 55 the s^ 

2c and 2b. In mis emrxxhment, client application 2a resides ^template or tne user. x ^ ^ 

on a pen^uipped compute*^ Jf 5 * dcscribed m of me three 

that a signature be captured. The signatnre capture module subsystems as follows: 

4car^uresasigrtarm^andretum Having es t a blis hed the claimed identity of the user, con- 

a signature envelope 10. This signature envelope 10 can be 60 stnu ^ f 11 empty signature envelope 10 bearing that 

fraitsferred to other client applications, e^. client application user's identifier. 

2b. Client application 2b may wish to have a signature Cause the signature capture module 4 to collect signature 

represented by a signature envelope 10 verified. If so, the data into the sigriature envelope 10, together with time 

client application 2fc passes the signature envelope 10 to the and date and a textual representation of the reason for 

signature verification module 6, which verifies the signature. $5 signing. 

It is noted that the open architecture of the present Cause the signature verification module 6 to locate the 

invention allows far many varying configurations. For template relating to the signatory whose identity was 
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stared in the signature envelope 10, by searching in the optionally, a key used in the generation of an integrity 

database 12 checksum. 

Cause the signature verification module 6 to verify the When the signature capture process is started, a form or 

signature envelope 16 against the found template. window 20 (similar to that shown in FIG. 3) is shown on the 

The signature verification module 6 works in the repre- 5 computer screen and the gravity prompt 22 is displayed by 

sedative embodiment as follows. The difference between the signature capture module 4. (In FIG. 3, the gravity 

each signature measure (obtained from the signature enve- prompt reads Enrollment incomplete — sign to enrolT. This 

lope 10) and the average (obtained from the template) is gravity prompt is used in the enrollment process when 

calculated and divided by the standard deviation for that creating a template, described in further detail below, and 

measure as calculate d during enrollment The highest result- 10 oser he & signing to create a teaimlate.) The 

ing value is stored and all values are totalled and averaged. user may at arry time elect to cancel the transaction by 

The highest value and the average are then scaled by two activating a "Cancel" control displayed on the form, by 

factors to give comparable values, and the largest of these is tapping it with his pen. 

retained ff it is smaller than a given (small) value M, the user ^ ^ re _ st art the signature capture (e.g. if his 

m a a iT nu m scorc of 100 h returned. Likewise, if it is larger 15 ^ ^ jogged) by activating a *t>at"cc^l 26 ma similar 

man a given (larger) value, the minimum scare is returned. manner, ff the user activates an "OK" control 28, then the 

Otherwise, this result is subtracted from M+l and the signature capture is exacted, but subject to the following 

difference multiplied by 100 to grve a value in the range 0 constraints' 

to^mdusive. This value is then returned to the client me ^ ^ a ^ ^ to e^^. 

ReUmring a score to the client ar^lication 2 allows the 20 telengthof the line drawn miist be greater than a certain 

client application 2 to deterrrrine whether, in the context to rmmmum; 

a particular transaction, the signature data must exhibit a certain complexity; 

For ggflmpi^ if the document being signed was a loan the pen must not be static for more man 2 seconds, 

document far $1,000, a score of 75 or higher may be ^ ff any of these constraints is violated, then a message is 

required by the client application 2 as a passing score. displayed to the signatory, the signature is rejected (as if the 

However, if the document being signed was a withdrawal user had operated the "Clear" control 26) and the system 

sup to withdraw $200,000 from a bank account, then the prepares itself to accept another signature, 

client application 2 could require a scare or 95 or higher as At this p^int th^ .qgimtiiT y. ^p^nr module 4 stem into the 

the passing score. 33 signature envelope 10 the following information: 

Using mis architecture, the present invention enables the date and time of the act of signing 

capture and verification of handwritten signatures to take arsvitv m o mi A 

place on drfiierent platforms. The present invention creates a ^ Harmed rfpirrftv «f tfw • *t 

transportable data type recording an act of signing and that lflennty or toe signatory 

is capable of being linked (or ^wrntd^ to a document ^ the identity of the machine on which the signature was 

The present in ventioo can be best understood by reference captured 

to the nature of these three subsystems, the operations which 30 identifier representing the computer program which 

it allows to be performed upon them, and the mechanisms it initiated the signature capture, Le., the client applica- 

provides for their interaction. ti° n 2 

L The Signature Envelope 10 40 measures and statistics relating to the signature, e^. the 

The signature envelope 10 can be considered as a com- shape, to number of rrastrcloes, the overaU time taken 

plex bundle of encrypted data which represents a digital to sign, etc 

recording of a physical act of signing . optionally, a checksum raimfatpri from the computer file 

However; the act of signing is not considered purely as a or document whose reference was originally specified 

physical act: in reality it cannot be divorced from context 45 as the file or document to which the signature that was 

such as the intentions of the signatory, the date and time, the captured relates 

document signed and so forth, The signature envelope 10 optionally, a compressed representation of the image of 

also contains data relating to these essential concomitants. the signature in vector farm 

Before the signature is captured, the signature capture ^ integrity checksum, 
module 4 is povided with the following information, usu- ^ inventioii ^ ^ any alteration of a 
ally from the chent application 2: aignature envelope 10 after the signature has been c 
a summary (in the farm of a short piece of text) of the xhe data maintained in a signature envelope 10 is check- 
user's intention in signing. This is displayed by the summed before encryption so that any n^mh™^ modi- 
signature capture module 4 in a distinctive manner, in ficatton can be detected. 

dose proximity to the area of the computer display 55 As illustrated in FIG. 3A, the client application 2 may 

where the user's signature will be represerited. This supply to the signature capture module 4 an identification of 

short piece of text is known as the "gravity jronrnT, the document being signed and/or nhe reason why (or 

since it indicates the gravity of the act of signing. For fcrn?ortance of) the document rjeing sigited. 11ns information 

example, the gravity prompt might read *T consent to is the gravity r*ompt 22. In me rerxesentative embodiment, 

pay $4930 to George Beale" or 1 agree to sell my ^ me gravity prompt 22 is oispbyed to the user in the signature 

house to Fred Deiining for $23,000" ox "You are capture window 20. This allows the uscr to make sure that 

signing the document entitled Tetter', file name the dc<aiment being signed is the one that the user believes 

letwp* or "Sign to approve Credit A^emenf; he or she is signing, and moreover, alerts the user to reason 

optionally, a reference to a computer file rersesenting a - far and the gravity of the act of signing. In the representative 

document which is to be signed by the user, 63 embodimerit, the gravity rjrom 

whether a visual representation of the signature should be envelope 10. Thus, the gravity prompt 22 can be retrieved 

stored inside the signature envelope 10; and displayed at a later stage by other applications (which 
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could be operating on other platforms). As shown in FIG. 
3A, the document being signed is a consumer credit appli- 
cation of five pages, part of which is displayed in a window 
30. The title of the document being signed is displayed in a 
tine bar 32 far the document by the client application 2. The 
gravity prompt 22 reads "Sign to approve Credit Agree- 
ment" Here, the client application 2 supplied the text "Sign 
to approve Credit Agreement" to the signature capture 
module 4 this text is stored in the signature envelope Id. The 
signature capture window 2ft in FIG. 3A is displayed over 
the window 30 that contains the document being signed. 

The present invention (in the represertfative embodiment 
the signature verification module 6 would perform these 
functions) provides the following functionality, when 
requested by a client application 2, in connection with the 15 
signature envelope 10: 
Disclosure of the claimed identity of the signatory 
Disclosure of the date and time of the act of signing 
If the option to checksum a document was exercised at me 20 
time the signature was captured, an indication of 
whether a given c ompute r file representing a document 
is identical with that originally checksmnmed 
if the option to stare a visual representation of the 
signature was exercised at the time the signature was 25 
captured, the facility to display the signature on the 
computer's screen 
If the option to store a visual representation of the 
signature was exercised at the time the signature was 
captured, the facility to generate a standarcVf armat disk 
file containing the visual representation in bitmap form 
Verification against a template 

Additionally, the present invention can perform the fol- 
lowing functions relating to a signature envelope 10: 
Encoding from memory into a data block for archiving or 

far transmission to a remote system 
Construction of a signature envelope 10 in memory from 

a data Meek retrieved from an archive or via electronic 



METHODS 









coDxcts ti» signature 




draws an imacc of a cantered 






. vntif tat fjfe 


writes jwngT- to a fflfc in TIFF 




writes image to a file id 








iD|jfcj| im^jy* f£ £ fife fn OS/2 




wbrthcr the »^r»> 








fCtD&S wfadbCT tfac ftjflJUhlfT 












captnrc liiatiiitft 


mc_jype 


ictimis type of csptnte maciizDe 








ictiuin **^*' m ^ ID Gtriog 


gravity_pfoaipt 


ictuiua gravity pirwnpf 


werify_fik 




nxiport 


filfa m flic dsitsk ftrim 




cuLiyptfid dstft Mock 


ciyutl 









30 



The data block retrieved from memory is an encrypted 
block of memory containing aimcient data to reconstruct an 
object identical to that which was originally written-out 
Effectively, the data block is an encrypted, portable Mock of 



A typical life-cycle for the signature envelope object of 
me present invention is summarized in FIG. 4. in flow chart 
form, and discussed in detail below. 
Creation (step 100) 

When the software object is created it is initialized to a 
state in which signature capture can be initiated. 
Capture/Import 
Capture (step 102) 
The sequence of events is in the capture process is 
35 representedin farther detail in FIG. 5. The capture step (102) 
is, in the representative embodiment, performed by the 
signature capture module 4. 

If the signature envelope 10 object was captured 
previously, the capture request is denied. 
40 The client program specifies the gravity prompt to be 
displayed; whether the signature rniage is to be retained, and 
whether a document is to be checksummed for ^^nrrfnt 
bi nding. 

If a document is to be checksummed, the file that docu- 



mformation preserving the entire stale of the source object 45 ment is stored in is perused and a checksum built The 



and enabling it to be recreated on the same or a remote 



These data blocks are used to preserve an object in an 
archive, or to transmit a copy of an object to a remote 
system. Essentially the data blocks contain the same infor- 
mation as the original object, but expressed in a trigbiy- 
stractured form such that the data object can be reconstituted 
at a later date from the block of ^ ta 

Iq the representative embodiment, the signature envelope 



is encapsulated as a software object A representation of a 55 204). 



representative embodiment of the present invention uses a 
Message Digest technique to checksum the debarment, such 
as published by RSAInc 
Then the user interface components are displayed upon 

r- 50 the computer's graphics gram in a rfj gh'nrfjw maimer, sn as 
to alert the user to the fact that a seam* and hliwtf n g gignatnm 

is to be captured (see e^, FIG. 1). 

IF the user operates the "Cancer control 24, then appro- 
priate status is returned to the client program (steps 202 and 



typical signature envelope software object is as follows: 
DATA 

signature envelope version number 
marriim* serial number 
machine boot time 
machine type (a number) 

claimed ID (a sequence of characters identifying the 
signatory, recognized by the by the capturing application) 
header text (variable length ASCH text) 
compressed representation of signature's appearance 
file checksum 

keyed internal checksum for integrity 



If the user operates the "dear" control 26 (step then any 
pen data previously collected are dfcearded and the image of 
the abandoned signature is cleared from the display (step 
209). 

60 If the user operates the pen in the signature capture area 

(step 210X data representing the movements of the pen are 

collected and stored in memory (step 212). 
If me user operates the "OK* control 28 (step 214), then 

the signature capture module 4 analyzes die captured pen 
65 data and records certain measurements. In the representative 

ernbodiment, the measurements performed by the signature 

capture module 4 are as follows: 
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Optionally, the pen data without time information is 
compressed, vectorized and stored far purposes of rendering 
an image of the signature, either to the computer display 
screen or to a bitmap file. The date and time of gigninp^ 

machine details and gravity prompt are likewise stored. ^ ^ 

Then a checksum the data 40 ^ ^ eoa^^ ^ ^ determined, 

subsequent alteration (step 216). 



Otherwise, the signatnre image is displayed, scaled appro- 
priatery. 

Bitmap File Generatioa 

Bitmap files are created nsing a standard image file 
format The following formats are candidates used by the 
represeritative emtodrment of the present invention: 

TIFF 

OS/2 Bitmap 
Windows Bitmap 

In response to a request from the client program, the 
system of the present invention win place decrypted infor- 
mation about the following into memory for access by the 
rfiraif program: 

Claimed JD 

Date and/or time of Signature 
Size of exported data block 

Whether or not the signature envelope 10 contains a 
captured signature 

Whether or not the signature envelope 10 contains a 
signature image 

Serial number of machine on which signature was cap- 
tured 

A number representing the type of machine on which the 
signature was captured 
The gravity prompt 

Whether the built-in integrity check succeeds or fails 
Whether or not a given file is identical with that originally 
checksummed when the signature was captured. 
Destruction (step 108) 

Dependent data allocations are destroyed. 
Z The Template 

Templates are not handled directly by client programs 2, 
but instead are accessed through the medium of a software 
coiuponent embodying a database of templates. 

When initially created, a template is blank. The present 
invention rxnnits a client program 2 to detect this and to use 
a succession of sigriature envelopes 10 to "fill in" the 
template This process, known as M enrollmenr*% can be 
likened to a learning process during which the typical 
behavior of a signatory and the respects in which his signing 



The present invention includes a built-in integrity check 
which can be explained as follows. Before encryption, the 
contents of the signature envelope 10, together with a key 
provided by the client application 2, are checksurmned using 
the same technique as is used for checksumming the file. 
Without knowledge of the key used by the original client 
application 2 when it caused the signature envelope 10 to be 
built it would therefore be inmractical to modify the sig- 
nature envelope 10 and regenerate a satisfactory checksum. 
By providing the correct key when performing an integrity 
check, the client application 2 can ensure that (provided the 
key was not disclosed) the signature envelope 2 was not 
decrypted, modified and re-encrypted. 
Impart (step 104) 

Previously-captured signature data is decrypted from a 
memory block and stored appropriately into the data struc- 
ture. 

Data Access (step 106) 

In the represetitative emtodfrnent, data access functions 
are perforated by the signature verification module 6. 
Export 

The data in the signature envelope 10 is stored in a 
memory block and encrypted. 
Render signature image upon the computer display 

If no signature image was requested by the client program 65 
2 which originally captured the envelope, then an error 
status is returned to the client requesting render. 
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During the enrollment phase, the degree of similarity 
between the signature envelopes 10 received will inftn^nr^ 
the quality of the final template If the signature envelopes 
are different enough, then verification becomes impossible 
and the enrollment process is re-started. Otherwise, the 
degree of coherence of the signature envelopes received 
during enrollment can be ascertained when taking into 
account the verification scores: the greater the coherence, the 
greater the reliability of the verification process. 

Because the integrity of a template will be crucial to 
security-conscious application programs, the tmpiatip con- 
tains information about an "owning" application. Only the 
owner of a template can perform certain sensitive operations 
upon it 

A template stores the following information: . 
Average values for signature measures and statistics 
Indicators of the variability of these statistics 
Indicators of the state and quality of the enrollment 
Date and time of most recent signature envelope 10 

verified 
Performance indicators 
ID of the- "owning" program 
Date and t fope of creation 
unique identifier 

The present irrventfen offers the following functionality in 
connection with the template: 
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Disclose the date of creation MftfljUTrernertts fnfowi rtnring thf* signatnrp rarrfnm prnwis 

Disclose the stale and quality of the enroQment and stored in the signature envelope 1G are compared against 

Enroll a signature envelope It (owning program only) m£an fi 6 QTes stored in the template. Account is taken of the 

YTrr nn ^ ^ ^1 ,_^„, 1Ll variability of the user as observed during the ermillrnent 

^ re^m^^ (caning program only) proce^ figures are geoeiate^ 

Verify a agnatnre envelope 1» * age error from the mean, and the other, the maximum 

The venncation procedure am^ divergence from the mean. Then, a function of these two 

2 an indication of the probability of forgery in the form of values is used to generate a score in the range 0 . . . 100. 

a score. This score, perhaps coupled with irrfoririarion about where 0 indicates a miqngtrh and 100 a dose match 

the quality of the enrollment, enable the client program to between the signature envelope and the template This 

make a decision as to the admissibility of the signature based 10 aspect of the signature verification module 6 is diEcussed in 

on its own criteria. detail above. 

Because over the course of time an individual's signature When the client application supplies a signature envelope 

will undergo gradual change, the present invention will in \% fox verification, it also supplies a score value which acts 

certain circumstances "bend" the signature envelope 1ft in as a lower threshold for template update. Template update 

favor of c onsistent variations in the behavior of the signa- ^ (ox lending") see step 318 — t*fcps p> af ^ subject to the 

tory. This Trending** takes place subject to certain internal following conditions: 

checks, and may optionally be suppressed by the client mc verification score is not less than the threshold; 

3 ^ hC ^Z *L 5ignaturc . cm f° pc 'M^verifr** * me vcri fication figures are neither too close nor too far 

older than the most recent signature envelope 10 success- from the mean; 

^^J^w^ 1 ^^^^"!^^ 1 !^^ 3 ^ piaCC * ^ 20 the signature envelope 10 is more recent than the last 

318 of FIG. 6, discussed in detail below.) signature envelopclO verified; 

In the representative embodiment of the present ^ _ & " ^ . V.T7 L ^ ^ . . 

invention, each template is implemented as a software to ^ c higher than the threshold value 

<)bject A typical m^ »PP^ by the ^ P 1 *?^*- ^ ^ 

sunnnaxizedin flow chart form m 1^6 and is described in . ffmese coupons are met (at step 3W), men a ccxrection 

detail below 2S 15 appose to the means stored within the ternrHate, so that 

Creation (step 382) over time the template wffl accommodate itself to consistent 

Whenateiin^stftware^ ct trends in the oratory * s perf ormance When update 

toastatemwhkfaeithereiirom^ ocenrs, the template is time-stamped to facilitate the admnv 

intrtatpa istrauon or multiple or remote copies or the template. 

Enroll ( steo 31ft 30 ^ ear (f^P 312) 

Ths ,^L.i i.lu- .lH L ...L?ii. i— ..jj-u. jiLi-ji^ut The present invention can put the template into a condi- 

r ^^S^-^?^ ^ tic*mwhichitcanbereHmro^ 

when the template is in a noi*enrc41ed contfctoon. retained and the template update date/time is set to the 

The enrollment process is siur imaiized in flow chart form current date/time 

inFK}.7. . .. Data Access (step 366) 

A pre-detenmned minimum of signatures must be sub- 35 Rrtmilment status 

mitted before the system of the present invention will m response to an enquiry whether the template is enrolled, 

attempt to complete the enrollment. Until this point is the system completes a block of informati on (as shown 

reached, data from the successive signature envelopes 10 are below) and this is made available for inspection by the client 

simply stored along with the inchoate template (step 492). program 2> 

Once the rmrnmnni number of signature envelopes has 40 In the representative embodiment, the block of infbrma- 

been received (step 406), the present invention win perform tion comprises: 

certain rfrerits tn determine whptW rhf> «dgnatim> gnvpJnpre 

submitted are consistent enough to generate a template, If 
not, all the signature envelopes are cleared and the template 
is reset to its initial state (steps 414 and 428). if, on the other 45 
hand t the gi gpatnr p envelopes submitted are consistent, thpn , 
the template statistics are generated (step 468), the stored 
signature envelopes are dispensed- with and the template is 
marked as enrolled. 

If, however, the mimTniim number of signature envelopes so 

has been received and the template is susceptible of 3. The Template Database 12 

mmrovement (steps 416), then former signature envelopes A signature template is unique to an individual Once a 

uptoapre-<ieterirmiedir^ tenmlate has been constri^ it can 

congruent set is retained unto a good enrollment can be P 618011 sidenm^,andtoanu^ticatete 

established or imttfein^ whichever is 55 ^ ^t^Z?^ * 

SOOJXX ^ single individual s signature may be of interest to more than 

Tnmnrt (sIeo 3M1 006 client p ro gram 2 or indeed to more than one orgamza- 

iinpmyapjm) tion. The Template Database 12 is designed to make tern- 

PreviomlyKXHnmTed template data is decrypted from a plates avau^eto more than one appfo*ation 2, and thus 

menwryblc<k and stored appro enable the "owner" of a template to gain a commercial 

60 advantage from the possession of an enrolled template by 

Export (eg. step 320) making it available to other cheats for verification purposes. 

The template data is encrypted into a memory block for The database architecture of the template database 12 

archival or transmission to a remote system. supports these flfms as follows: 

Verify (step 314) Before using the database services, client applications 2 

Hie signature verification module 6 permits verification 65 must identify themselves to the system of the present 

of a agnatnre envelope 10 against a fempian* only when the mvention by means of a special identifier generated by 

tenrplate is in an enrolled cortdition. the system. 
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The special identifier is generated when an application generate a unique ID for the application, known as an AID. 

registers with the system of the present invention. At the same time, it also provides information as to the 

Registration is required before a client application can length of the unique identifier it proposes to use to identify 

create templates. persons when accessing their template 

When a ft^f****** is created, a database record containing 5 When a client application 2 needs to create a template, it 

the individual's nanw and a nirfq m user identification may first scan the database 12 for persons already registered 

number (which could be* for example, a national insur- with other applications. When a person is registered, a 

ance number or a social security number) is also template is created and other information (surname, 

created and is henceforth umnodifiable. This record is forename, ""^Hip names, user identification number) are 

used to support rnatching of client applications* differ- jq also stored. Thus it is possible for the application using these 

ent identifiers to the same individual. criteria to determine if the person in question has already 

Hie system of the present invention supports searching registered with another application 2. 

the template database 12for any combination of match- ff 00 notching person has been discovered, a new person 

ing data in order to support the correlation of an identity may be created and added to the database 12. 

with a twnplfltp 15 In the representative embodiment, a person is represented 

Upon creation of a template, or upon matching with a by a so ftware o bject The life-cycle of mis person software 

specific search pattern, the system cf the present inven- object is represented in FIG. 9. The database 12 performs all 

tion provides the client application 2 with the ability to template operations on behalf of client applications 2 

register that application's unique identifier far that through operations upon the person object 

individual; henceforth the client need only supply its 20 A ^ mon ^ ob j«* together with the corresponding 

preferred identifier. This recognizes the fact mat client template, is considered "owned" by the application 2 which 

programs 2 will always have an index of unique creates it Certain operations upon the template, including 

identifiers referring to the individuals whose signatures enrollment and clearing of the template, can be performed 

are to be verified. only by the owning application 2. However, the owning 

m the case thataclierd install^ 23 application may make erirdlrnent available to other appli- 

penmssions, the system of the present invention wffl catioiisbyspe*^^ 

support the conversion of template records into an Q " SE to °~ . ,dH "J . 

encrypted data block for separate archival or transmit /IT* name and urnrpie user identification number as***- 

g^jj ated with a person are used uniquely to identify that person 

The arcriitectare of the presem irrv 30 f^J^f 5 ^ applications. Consequently, these data are irrrmu- 

novd concept of a signature verification bureau, offering a ™* . _ ... . 

remote or networked verification service to any number of Rotation of a Ptoon with an Ah^ob 

different clients 2. Once a person has been created or located by an appb- 

It also supports the remote rnaintenance and adrninistra- ?«*f a P^ a ^ n J™* r ^ ster J** J^° n 

tion of signlto templates. TTnsis of partiailar 35 ltsdf * ^ 18 achieved by providing that applications 

where templates btrilt in a central location need to be ™iq*^ by that 

distnbuted to remote processors for -off-line^ verification ^ ^P* 

independently of the central database. Examples include the ^^f*!* * * e JW^on 2 when it first registers 

use of smart cards, or of a "fleeT of small portable pen- w * ^ ^f^^^'^^^J^^ ™ ^ 

operate* comjHtterXwh^ 40 cation's Umq^ HenUfier (AUTO), henceforth, the AUID 

tor^m^ wmN^bythatan^hc^ 

the equipment in the fieid and ^ .^^T^ ^ A - ^. 

menS^u^oorrect security configuration. M P** 3 * mvcnttt>n constructs a new 

Apuipc^ofateirqrfatedat ihtaba^r^ ^^mmjig the AUID and crosslinks die 

ternplaaTnc«!ed b/aTapplication program, eg,, 2b. 45 n ™ record ™* ^ Previous registrations by &at 

However,thedismictrve* apphcaton^alsowinia^ 

to mate individuals* templates available to more than one P**°* ^fjf z ^ hcatlODS ' database- 

application, in such a way that different applications may be applicahon may scan the database: 

able to share a single template. far 211 Wbcations 

This is achieved by forcing cheat applications 2 to start a 50 for all persons registered with that application 

database session before any database functionality can for all persons not registered with mat application 

become available. When the session is started, the client for all persons subject to matching criteria, 

application 2 must declare its identity. The present invention will "modify** a signature template 

The database 12 uses the concept of a person object to of an individual as the user* s signature changes over time, as 

r epre sen t the template together with unique identifying 55 discussed at FIG. 6, step 318 above. For example, a signa- 

information. All templates stored within the database 12 tory signs his name in more or less two seconds. This varies 

belong to persons, and any person may be registered with wimin about a tenth of a second, so the signature verification 

any application. Any one application may have many people module 6 does not "mark him down" (Le^ does not decrease 

registered with it, and any one person may be registered with his signature match percentage) if the duration of bis sig- 

several applications. This is illustrated by the Entity- 60 nature is, say, 2.1 or L9 seconds. But after a few months 

relationship diagram in FIG. 8. (perhaps out of familiarity with the equipment he is using), 

Initially, before any other database services become the user's signature tends towards the 1.9 second mark, 

available, the client application 2 must make itself known to Because all the other data are pretty much in line with his 

the system. When the application 2 starts the session, it enrollment* the gign^ift* verification module 6 "bends'' his 

declares a public name tedesedbe itself^ by which it will be 65 signature template slightly to follow the pattern of change in 

known to all other applications. It also provides a secret his signing behavior. After a year, he is consistently signing 

encryption key. This key is used by the present invention to at 1.8 seconds, sometimes 1.7, sornetimes L9. By mis time, 
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the mean will have followed his behavior, so that it will now than signatures. For example, the architecture of the present 

be set at 1.8. (If one of his original signatures as captured in invention can be used to create and verify envelopes that 

a signature envelope 19 were now to be re-submitted, and it comprise fingerprint i nfrii fpfltifin t eye pattern information 

had a duration of 2.1 seconds, this might cause a fail to be and voice print information, 

reported.) j 

Software Objects EXAMPLE 

As stated above, the representative ernbodirnent of the As stated above, in the representative embodiment of the 

present invention is imple mented using object orientated present invention, the signature capture module 4 can create 

ptOfetoiiiiiiing trrhniqnrs. The following are representative a checksmn of the document that was gignpd The dnmnwnt 

objects used in the m T pfern f ^n tar io n of the present invention: JQ checksum can be used at a later date to verify mat the 

4.1 The signature envelope object. document alleged to have been signed is me one mat was 

it * to CaCap ^^ ! aCt ° f SignatQre - Ltonany signed, and further, mat no changTto mat dccmnenl has 

4X1 An c*^VesW&e signature image. This ^"^h ^representative enAodirnent, the tonat 

contains me^c^^ - stetement of ^ ^ 

such data; akoto represent the data in Wtoap farmTor « docament ' ^ ^ on S mal document cannot be derived 

dynamicalfy upon the display device. from the document checksum. The document checksum 

4.L2 An object to represent the act of signature itself, oears a niathfiTnattcal relatkmsmp to the document ff the 

divorced from its context. This object contaiiis me sigiiature document is changed, then it can no longer be m athemati- 

measures and subsidiary <fata concerning each individual caHy matched with the checksum. This feature of the present 

pen-^trntee- The p rimar y pan-nra^ of nVfo cttyx* is. tn rpprR^pnt 20 invention can be called signature binding. The following is 

thft meagimHt nwi hy the wrffwM»tff> n fintrtin n_ Tlris ohject m an example of the operation of the signature himfing feature 

turn may relate to a temporary object used at the time of according to the present invention: 

capture, which stores the raw pen data. Given the following sample document: 

4.13 An object to represent the raw pen data and perform *T am glad I was born in Borneo.<QR><LR> w 

elementary analyses thereupon, e.g. number of strokes, 25 which equates to the following data in ASQL 

nmiiber of points, etc^ as we^ 492061 6D 2067 6C 61 64 20 49 20 77 61 73 2062 6F 72 

pen data so mat the object in 4JLZ can generate the mea- 6E20696E2042 6F726B656F2E0D0A 



The checksum is generated using a message digest algo- 

42 The signature template object rimm (such as, for example, the RSA MD4 or MD5 
This object contains the averages of the measures in the 30 algorithm) to produce, for example, a document checksum 

signature envelope 10, as well as the standard deviations of (in hexadecimal) such as the following: 

those measures. It possesses two major aspects of 89F32145AB321AF7C4 11FB76543F0CFC 

functionality, namely, the ability to "learn" or "enroIF from A signature envelope contains the following mf donation: 

a set of signature envelopes, and secondly to perform a version number (integer) 

comparison after enrollment with a signature envelope 10 35 machine serial number (integer) 

effectively, this is the verification function itself. It does not machine boot time (integer) 

retain anything specifically related to any given signature machine and operating system type (integer) 

envelope 10 except for the creation date and tone of the most signatory's claimed ID (variable length, characters) 

recently-signed envelope. This Mormation is made avail- gravity prompt (variable length, characters) 

able to the client application 2 so that it can determine if an 40 signatur e mfftgnres sequence (integers) 

out-of-sequence envelope is being verified. date/rime of signature (integer) 

43 The tonpfate database object signature image (variable length) 
This exists primarily to provide the client application 2 file checksum (characters) 

with a coDvenient means of storage, with encryption, of envelope checksum (characters) 

templates correlated with signatory IDs. It contains two 45 When exported to an encrypted data block, this infarma- 

major sub-objects, these being: tton would be supplemented with the following length 

43.1 An object which maintain* basic information about information: 

people and cross-links this information with the applications total length of the envelope (integer) 

which refer to mem. It does this by maintaining a database length of the signatory's rfatm«i ED (integer) 

of applications and a database of persons, together with two 50 length of the gravity prom pt (integer) 

databases of links. One links each application to all the length of the signature image (integer) (zero if no image) 

people to which it needs to make reference (mis also In detail, die signature image is stored as follows: 

contains the application's c Start co-ordinate 

used at the time of character); the other Hnks each person to Sequence of differences between previous and next 

all the applications which refer to that person. 55 co-cadinate. 

The primary goal of mis object is thus to enable one Each of these data items is composed in the following 

person to be refcrred-to by a number of different apptications way: 

in the way most suited to those applications' purposes. If the next character, when seen as an integer, is negative, 

43.2 An object which maintains the actual templates in a then the remaining bits in that character are used as flags to 
database indexed by a unique identifier — one per person. 60 indicate the following conditions: 

Bom these database objects use subsidiary objects to End of stroke 

manage the types and Qr gam>irtio ns of files most appropriate The next vame is a two characters in length 

to the specific task. Far example, there are indexecV-files, The next-but-one value is two characters in length 

sequential files and linked-list files containing mnlriple The next value is changing sign (negative to positive or 

sequences of items. 65 vice versa) 

The architecture of the present invention can be utilized in The next-but-one value is changing sign 

the capture and verification of biometric information other The next value is a repeat count (always positive) 
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For example, if a signature began with a geometrically 
accurate letter C V\ the image would be represented as 
follows: 

1. Positive charaftrr giving Y coordinate of 20 

2. Zoo character giving X ccninfinate of 0 

3. Negative character with bit set to indicate repeat count 

4. Character with value 10 

5. Negative character with bit set to indicate Y going 
negative 

6. Rxsitrve character giving Y difference of 2 (Le. —2) 

7. EtosMve character giving X difference of 1 

8. Negative character with bit set to indicate repeat count 

9. Character with value 10 

10. Negative character with bit set to indicate Y going 
positive 

11. Character giving Y difference of 2 (now +2) 

12. Character giving X difference of 1 

13. Negative character with bit set to indicate endof- 
stroke. 

Suppose that an client application 2 wishes to capture a 
signature and wishes to attach the signature to the Borneo 
document Under the OS/2 operating system, it will prepare 
the following information: 
The OS/2 identifier for the window (e.g. 30 of FIG. 3A) 
into which the signature capture window 20 will be 
inserted; 

a zero-terminated sequence of characters identifying the 
signatory; 

a zero^enmnated sequence of characters giving the grav- 
ity prompt; 

an integer with a non-zero value if it is desired that an 

image of the signature be capUued; 
a sequence of characters giving the client application's 

secret key for the integrity checksum; 
an integer giving the length of the secret key; 
a zero-terminated sequence of characters giving the name 

of the file in which the document to be checksummed 

is stored. 

The signature capture component will then display the 40 
signature capture window 2fr bearing the appiopiiate gravity 
prompt 22 and die claimed ID of the signatory. It will also 
traverse the designated file and generate the checksum. 
While the user moves the pen over the signature capture 
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at the first computer processes; storing in a signature 
envelope a set of measurements relating to the hand- 
written signature; 

at the first computer processor, creating a checksum of the 
document; 

at the first computer processor, storing the checksum in 

the signature envelope; 
at the first computer processor, storing in the signature 

envelope a claimed identity of the signatory; 
at the first computer processor, encrypting the signature 

envelope to create an encrypted signature envelope; 

and 

providing the encrypted signature envelope to a second 
computer processor. 

2. The method of claim 1 further connxising the steps of: 
at the second computer processor, decrypting the 

encrypted signature envelope; 

at the second computer processor, retrieving a set of 
statistics relating to a genuine handwritten signature of 
a person having the claimed identity as stored in the 
signnturfc envelope; and 

at the second computer processor, comparing the set' of 
statistics with the set of measurements stored in the 
signature envelope to obtain a siniilarity score, 

3. The method of daim 2 further comrxising the steps of: 
at the second processor, creating a second checksum of an 

electronic document; and 
comparing me second checksum to the checksum stored 
in the signature envelope to Hrtpminr if the electronic 
document is a true representation of the document that 
was signed at the first computer processor. 

4. The method of claim 2 further comprising the step of 
providing the similarity score to the first computer proces- 
sor. 

5. The method of claim 2 further comprising the step of 
providing the similarity score to a third computer rxocessor. 

6. The method of claim 1 further comprising the step of, 
at the first computer processor, creating an integrity check- 
sum of the signature envelope and storing in the integrity 
checksum in the signature envelope prior to encryption of 
the signature envelope. 

7. The method of claim 6 further comprising the step of, 
at the second computer processor, decrypting the encrypted 



window 29, the pen data are stored internally m signature envelope and utilizing the integrity checksum to 



X and Y movement values and time-differences. If the user 
then activates the "OK** control 28, these movement values 
are scaled to represent absolute rfigtamy* and are then 

analyzed tn yield thf^ signatore Tnftfl5aTrra Fmalty if an irretjm 

of the signature was requested, the pen data are converted to 
the image sequence (all tuning information is discarded). 

At this point, the client application 2 is informed of the 
cutcome of the interaction by means of a numeric code: 

0. Envelope successfully created 

1. Signature was abandoned — user activated "Cancel** 
control 

3. Invalid (e^g. zero-length) claimed ID 

4. Invalid (eg, zero-length) gravity prompt 

5. Error reading the file which was to have been check- 
summed. 

What is claimed is: 

1- A computer-based method for verification of a hand- 
written signature that relates to a document, comprising the 
steps oh 

at the first computer processor, signing a document by 
electronically capturing a handwritten signatnre of a 
signatory; 
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determine if the signature envelope has been modified. 

8. The method of claim 1 further comprising the steps of: 
at the second processor, creating a second checksum of an 

electronic document; 
at the second computer processor, decrypting the 

encrypted signature envelope; and 
comparing the second checksum to the checksum stored 
in the signature envelope to determine if the electronic 
document is a true representation of the decument that 
was signed at the first computer processor. 

9. The method of claim 1 further comprising the step of 
electronically displaying an image of the document at the 
first computer processor. 

10. The method of claim 9 further comprising the steps of 
60 electronically displaying a prompt summarizing the first 

document and storing the prompt in the signature envelope. 

11. The method of daim 16 further comprising the steps 
of: 

at the second computer processor, decrypting the 

encrypted signature envelope; and 
at the second computer processor, retrieving the prompt 
from the signatnre envelope. 
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12. The method of claim 11 farther comprising the step of 
providing the retrieved prompt to the first computer proces- 
sor. 

13. A computer-based method for capturing a handwritten 
signature that relates to a document, and thereafter verifying 5 
the handwritten signature, comprising the steps of: 

signing a document by electronically capturing a hand- 
written signature of a signatory; 

storing in a signature envelope a set of measurements 
relating to the handwritten signature; 

creating a checksum of the document; 

storing the checksum in the signature envelope; 

storing in the signature envelope a claimed identity of the 
signatory; 15 

encrypting the signature envelope to create an encrypted 
signature envelope; 

thereafter, decrypting the encrypted signature envelope; 

retrieving a signature template of a person having the ^ 
claimed identity as stored in the signature envelope, the 
signature template comprising a set of measurement 
statistics relating to one or mare genuine handwritten 
signatures of said person; and 

comparing the set of measurement statistics stored in the 25 
signature template with the set of measurements stored 
in the signature envelope to obtain a similarity score 
representative of a degree of similarity between the 
handwritten signature captured upon signing the docu- 
ment and the one or more genuine handwritten signa- 30 
tures. 

14. The method of claim 13 further comprising the steps 

of: 

creating a second checksum of an electronic document; 

and 35 
comparing the second checksum to the checksum stored 

in the signature envelope to determine if the electronic 

document is a true representation of the document that 

was signed. 

15. In a computer system having a client application, a 40 
signature capture application and a signature verification 
application, a method for capturing and verifying an elec- 
tronic representation of a handwritten signature, comprising 
the steps of: 

under the control of the client application, 45 

a. requesting that the signature capture application 
capture a handwritten signature; 

under the control of the signature capture application, 

b. enabling a user to electronically enter a handwritten 
signature, 

c. electronically capturing the handwritten signature of 
the user, 

d. calculating a set of measurements relating to the 
handwritten signature, 53 

e. storing the set of measurements relating to the 
handwritten signature in a signature envelope, 

f. storing an indication of the user's claimed identity in 
the signature envelope, 

g. encrypting the signature envelope to create an 
encrypted signature envelope, and 

h. passing the encrypted signature envelope to the 
client application; 

under control of the client application, 
L passing the encrypted signature envelope to the 55 
signature verification application; and 
under control of the signature verification application, 
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j. decrypting the encrypted signature envelope, 
k. retrieving a template comprising a set of statistical 
measurements corresponding to one or more genuine 
handwritten signatures of the user whose claimed 
identity is stored in the signature envelope, 
1. comparing the set of measurements stored in the 
signature envelope with the set of statistical mea- 
surements in the template to obtain a similarity 
score, and 

m. providing the similarity score to the client applica- 
tion. 

16. The method of claim 15 wherein the set of measure- 
ments include pen-down time. 

17. Hie method of claim 15 wherein the set of measure- 
ments include number of acceleration and deceleration 
maxima. 

18. The method of claim 15 wherein the set of measure- 
ments include number of strokes. 

19. The method of claim 15 wherein the set of measure- 
ments include total line length. 

20. The method of claim 15 wherein the set of measure- 
ments include event time skew. 

21. The method of claim 15 wherein the signature capture 
module is located in a set top box of a cable television 
reception system. 

22. A computer-based method for verification of a hand- 
written signature that relates to a document, comprising the 
steps of: 

providing a key; 

at the first computer processor, signing a document by 
electronically capturing a handwritten signature of a 
signatory; 

at the first computer processor, storing in a signature 
envelope a set of measurements relating to the hand- 
written signature; 

at the first computer processor, storing in the signature 
envelope a claimed identity of the signatory; 

at the first computer processor, using the key to create an 
integrity checksum of the signature envelope; 

at the first computer processor, storing the integrity check- 
sum in the signature envelope; 

at the first computer processor, encrypting the signature 
envelope to create an encrypted signature envelope; 

providing the encrypted signature envelope to a second 
computer processor; 

providing the key to the second computer processor; 

at a second computer processor, decrypting the encrypted 
signature envelope; 

at the second computer processor, performing an integrity 
check by utilizing the key and the integrity checksum 
to determine if the signature envelope was modified; 

at the second computer processor, retrieving a set of 
statistics relating to a genuine handwritten signature of 
a person having the claimed identity as stored in the 
signature envelope; and 

at the second computer processor, comparing the set of 
statistics with the set of measurements stared in the 
signature envelope to obtain a similarity score. 

23. Hie method of claim 22 further comprising the step of 
providing to the first computer processor an indication of 
whether the integrity check succeeded or failed. 

24. Ia a computer system having a client application, a 
signature capture application and a signature verification 
application, a method for capturing and verifying an elec- 
tronic representation of a handwritten signature, comprising 
the steps of: 
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under the control of the client application, 

a. requesting that the signature capture application 
capture a handwritten signature, and 

b. providing a key to the signature capture application; 
under the control of the signature capture application, 

c. enabling a user to electronically enter a handwritten 
signature, 

d. electronically capturing the handwritten signature of 
the user, 

e. calculating a set of measurements relating to the 
handwritten signature. 

f. storing the set of measurements relating to the 
handwritten signature in a signature envelope, 

g. storing an indication of the user's claimed identity in 
the signature envelope, 

h. utilizing the key to create an integrity checksum of 
the signature envelope, 

i. storing the integrity checksum in the signature 
envelope, 

j. encrypting the signature envelope to create an 
encrypted signature envelope, and 

k. passing the encrypted signature envelope to the 
client application; 
under control of the client application, 

1. providing the encrypted signature envelope to the 
signature verification application, and 

m. providing the key to the signature verification appli- 
cation; 

under control of the signature verification application, 
n. decrypting the encrypted signature envelope, 
o. performing an integrity check by utilizing the key 
and the integrity checksum to determine whether the 
signature envelope has been modified, 
p. retrieving a template comprising a set of statistical 
measurements corresponding to one or more genuine 
handwritten signatures of the user whose claimed 
identity is stored in the signature envelope, 
q. comparing the set of measurements stored in the 
signature envelope with the set of statistical mea- 
surements in the template to obtain a similarity 
score, 

r. making the similarity score available to the client 

application, and 
s. making results of the integrity check available to the 

client application. 

25. A handwritten signature authentication system com- 
prising: 

means for displaying a gravity prompt; 

means for capturing a handwritten signature; 

means for analyzing the handwritten signature to obtain 

measurements relating to the handwritten signature; 
means for storing said measurements and said gravity 

prompt in a signature envelope; 
means for encrypting the signature envelope; 
means for decrypting the signature envelope; and 
means for comparing said measurements with a set of 

statistics of a genuine signature to obtain a similarity 

scare. 

26. The system of claim 25 further comprising means for 
outputing the stored gravity prompt 

27. A handwritten signature authentication system com- 
prising: 

means for capturing a handwritten signature relating to a 
first document; 
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means for analyzing the handwritten signature to obtain 

measurements relating to the handwritten signature; 
means for creating a checksum of the first document; 
means for storing said measurements and said checksum 

in a signature envelope; 
means for encrypting the signature envelope; 
means for decrypting the signature envelope; 
means for comparing said measurements with a set of 

statistics of a genuine signature to obtain a similarity 

score; and 

means for determining whether a second document is a 
true representation of the first document by utilizing the 
checksum, 

28. The system of claim 27 further comprising: 
means for creating an integrity checksum of the signature 

envelope; 

means for storing the integrity checksum in the signature 
envelope; and 

means for determining whether the signature envelope has 
been modified by utilizing the integrity checksum 

29. A signature verification bureau system comprising: 
a plurality of first processors for capturing handwritten 

signatures, each one of the plurality of first processors 
including: 

means for electronically capturing the handwritten sig- 
nature of a signatory, 
means for storing a set of measurements relating to the 

handwritten signature in a signature envelope, 
means for entering the signatory's claimed identity, 
means for storing the signatory's claimed identity in the 

signature envelope, 
means for encrypting the signature envelope to create 

an encrypted signature envelope, and 
means for communicating the encrypted signature 

envelope to a remote signature verification bureau; 
a central database for storing genuine handwritten signa- 
ture data comprising a plurality of signature templates, 
each signature template including a set of statistical 
measurements; 
a signature verification bureau for verifying handwritten 
signatures, remotely located with respect to each of the 
plurality of first processors and communicating elec- 
tronically therewith, the signature verification bureau 
controlled by a second processor and coupled to the 
central database, the second processor including: 
means for receiving encrypted signature envelopes 

from the plurality of first processors, 
means for decrypting the encrypted signature 

envelopes, 

means for accessing die central database to retrieve 
signature templates corresponding to signatory's 
claimed identity, 

means for verifying handwritten signatures by compar- 
ing the set of measurements stored in the signature 
envelope with the set of statistical measurements for 
the retrieved signature templates, 

means for determining similarity scores representing a 
similarity between the set of measurements stored in 
the signature envelope and the set of statistical 
measurements, 

means for providing the similarity score to the respec- 
tive first processor. 
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